Open Bug 1079403 (mobile-passwords) Opened 5 years ago Updated 2 years ago

[meta] Mobile client-side password system improvements

Categories: Firefox for Android :: Logins, Passwords and Form Fill, defect, P5
Hardware / OS: All / Android
People: Reporter: mfinkle, Unassigned
References: Depends on 11 open bugs
Details: Keywords: meta
Attachments: 1 file, 1 obsolete file

There are a few small-scoped improvements we can make to the password system without any new Cloud Service work.
Depends on: 1079410
Before Mozilla, I worked 3 years on a multi-platform cloud password manager and have a few opinions on the matter. :)

IMO, The Most Important Thing for a password manager is how many sites/applications it "works with", meaning it can both "save" and "fill" the username/password. I'll take a password manager with no password generation, no local encryption, no password sharing, and no password analysis that handles 100% of my accounts over a feature-rich password manager that only handles 75% of my accounts. I want a password manager that does its main job extremely well.

That said, making a password manager with a high level of site support is hard, even if we just limit the discussion to Web contexts. When I hear people complain about their password manager, it's usually because it occasionally doesn't "work", meaning the capturing or filling inexplicably fails without an intuitive way to recover. Robust password capturing/filling on the Web is a tricky heuristic, primarily because sites build their login forms with all sorts of "richness" and "diversity", e.g., 

* no HTML forms present, just input fields with JavaScript handlers
* AJAX logins
* dynamic login forms that aren't present on page load, and may only appear after user interaction
* sites which munge the username or password in the input field
* "rich" UX that reacts to onblur and onfocus events on the input fields
* multiple username fields
* multiple password fields (WTF, https://enrollonline.com/mozilla)
* multi-stage logins (username on one page, password on the next)
* "lone" password fields, either with a pre-filled username or no username field present

More excitement:

* multiple realms on the same domain (e.g., different password for different mailing lists, but all on the same domain)
* a single realm that spans multiple domains (e.g., https://online.citibank.com/ and https://www.citi.com/ take the same credentials)
* handling password change and password reset pages (These are really hard to test, either manually or automatically, and the username often isn't available.)
* the whole "native app" thing

My suggestions for building a fantastic password manager:

* Build the best login form detection/filling engine, and have an automated way to measure its efficacy. This engine will need to have many heuristics that work in general, but I've found a lightweight cloud-based configuration system is typically required to get the trickiest sites working (there's opportunity for community involvement here). 

* Aggressively remove features. A password manager for the masses needs to have a simple, intuitive interface, not synthesizer controls. 

* Make it available everywhere the user needs her passwords. Cloud based, all platforms.

One challenge with password managers is that many people still don't use them. Why? User research can probably help us, but I have some hypotheses:

* The user isn't sold on the value prop. If a user has the same password everywhere, why use a password manager?
* The user doesn't trust it. It seems "creepy". Can't anyone just walk up to my machine and log in to my Facebook account?

IMO, these also need to be addressed to get wide adoption, but the basic efficacy issue is The Most Important Thing.

I have a list of test login credentials for tricky and popular sites. When do we start?
Coincidentally, I was originally hired by Mozilla to "make a better password manager", a project which was canned in favor of Firefox Accounts/PICL.
Keywords: meta
OS: Linux → Android
Hardware: x86_64 → All
Related: I recently proposed adding an auto-remember password feature to Firefox.
https://www.lucidchart.com/publicSegments/view/542acc58-08d4-4e4f-878f-2b060a00c285/image.png
Would be an improvement for two reasons:
1. Would save users a click when they just wanted to save all passwords
2. Would also allow them to view the username and change it if guessed wrong
Depends on: 1081285
Depends on: 555755
I started working on an add-on to try out some of the client-side password improvements we have been talking about. I thought I'd post it to get some feedback and ideas.

The add-on is here and only works in Fennec for now:
http://people.mozilla.org/~mfinkle/passwords/passwords.xpi
source code: https://github.com/mfinkle/passwords

It adds a "Password Tools" menu to the normal "Tools" menu:
http://people.mozilla.org/~mfinkle/passwords/fennec-passwords-menu.png

You can try it out on your own data, but if you want to play around in a clean profile, use the "Add Fake Logins" action to add some test data to your profile.

Then use the "List" action to display a simple Password manager:
http://people.mozilla.org/~mfinkle/passwords/fennec-passwords-list.png

Tap on a row to see some details:
http://people.mozilla.org/~mfinkle/passwords/fennec-passwords-list-detail.png

I ported most of the excellent "zxcvbn" password strength checker from Dropbox into the add-on. More info on it here:
https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/

You can run an audit on your login data using the "Audit" action:
http://people.mozilla.org/~mfinkle/passwords/fennec-passwords-audit.png

I created 3 types of audits for now: Weak passwords, Duplicate passwords (same password used on multiple sites) and Old passwords (passwords that have not been changed in over 90 days).

To help create stronger passwords, I added a simple (crappy) UI to make passwords based on two strategies:
1. Use the website domain and a master password, then hash using MD5 (or something)
http://people.mozilla.org/~mfinkle/passwords/fennec-passwords-generate-domain.png

2. Pick the parts of your password from different character sets (lowercase, uppercase, digits and symbols), with minimum character counts for each and a way to exclude some characters. The result is created by randomly picking characters from the selected sets.
http://people.mozilla.org/~mfinkle/passwords/fennec-passwords-generate-sets.png

Lastly, I added a feature that lets you "peek" at a password field as plain text for 5 seconds. It's on the menu, but use the ActionBar instead:
http://people.mozilla.org/~mfinkle/passwords/fennec-passwords-peek-before.png
http://people.mozilla.org/~mfinkle/passwords/fennec-passwords-peek-after.png
I plan to start making some toolkit patches for the PasswordGenerator and PasswordStrength JSMs.

I also want to start making some Fennec patches for an interactive password strength panel that displays below a password <input> and shows the strength as you type. I should give you a way to see the reasoning for the strength score, as well as offer a way to generate (and save) a stronger password.
(In reply to Mark Finkle (:mfinkle) from comment #4)
> I started working on an add-on to try out some of the client-side password
> improvements we have been talking about. I thought I'd post it to get some
> feedback and ideas.
> 

Exciting work Mark!

> Then use the "List" action to display a simple Password manager:
> http://people.mozilla.org/~mfinkle/passwords/fennec-passwords-list.png

Suggested additions:

* Search
* Sort by (alpha, (f)recently used)
* Deletion from here?
* Where can I manually add a set of credentials?

> Tap on a row to see some details:
> http://people.mozilla.org/~mfinkle/passwords/fennec-passwords-list-detail.png

Suggested additions:

* Delete
* Edit
* Show password

 
> I ported most of the excellent "zxcvbn" password strength checker from
> Dropbox into the add-on. More info on it here:
> https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/
> 
> You can run an audit on your login data using the "Audit" action:
> http://people.mozilla.org/~mfinkle/passwords/fennec-passwords-audit.png
> 
> I created 3 types of audits for now: Weak passwords, Duplicate passwords
> (same password used on multiple sites) and Old passwords (passwords that
> have not been changed in over 90 days)

I have mixed feelings about these analysis tools for the typical user. Here's why. Ideally, we should all use long, unique, computer generated passwords. But we don't, for a variety of reasons. For example, good luck using a 20 random char password for your iOS app store password, unless you really love mobile typing acrobatics. There are other rational coping mechanisms that result in less than optimal, but probably still ok passwords. I personally don't like shaming the user because they had to compromise to deal with password hell. 

I don't know what the right decision is here, but I'd start with a less noisy analyzer and focus on obvious big wins. Thoughts:

* Point out really dirty passwords, like ones on the top 100 most commonly used list. 
* Visualize password re-use. This is where bad stuff happens. Re-using your Facebook password at a music lyric site. Randomly generated passwords are obviously a solution here, but there are other more human-friendly options, too, that we could propose to the user.

> To help create stronger passwords, I added a simple (crappy) UI to make
> passwords based on two strategies:
> 1. Use the website domain and a master password, then hash using MD5 (or
> something)
> http://people.mozilla.org/~mfinkle/passwords/fennec-passwords-generate-domain.png
> 
> 2. Pick the parts of your password from different character sets (lowercase,
> uppercase, digits and symbols), with minimum character counts for each and a
> way to exclude some characters. The result is created by randomly picking
> characters from the selected sets.
> http://people.mozilla.org/~mfinkle/passwords/fennec-passwords-generate-sets.png

Simplify. I'd prefer fewer synthesizer controls in the "Generate from Sets". Ideally, there is only one option: give me a pretty good password that likely meets the criteria imposed by most sites. I assert that error recovery here can be handled by manually editing. 

I don't like the "Generate from Domain" option because it has no good solution to the "Change just this password I generated by domain, but not my others that I generated by domain". 

One thing about password generation: we better remember it for the user and bind it to the site/domain, and if we don't for some reason (and we won't sometimes), then we need to provide sufficient recovery mechanisms.

These kinds of improvements are important and necessary, but we must not forget the dirty business of improving the low level capturing and filling. :)
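An added example, not code from the add-on or from either commenter, of the narrower audit proposed above (a common-password list and password re-use) together with the 90-day age check from comment 4. The login records, the field names and the tiny common-password list are constructed for the example.

```javascript
// Added example, not code from the add-on or the commenter: the narrower audit
// suggested here (common-password list, password re-use) plus the 90-day age
// check. Records, field names and the common-password list are constructed.
const DAY_MS = 24 * 60 * 60 * 1000;

// Stand-in for a "most common passwords" list (constructed, not the real top 100).
const COMMON_PASSWORDS = new Set(["123456", "password", "qwerty", "letmein"]);

// Constructed login records; field names mirror Firefox's login store
// (hostname, username, password, timePasswordChanged in ms since the epoch).
const SAMPLE_LOGINS = [
  { hostname: "https://www.facebook.com", username: "al", password: "Summer2014!", timePasswordChanged: Date.UTC(2014, 5, 1) },
  { hostname: "https://lyrics.example", username: "al", password: "Summer2014!", timePasswordChanged: Date.UTC(2014, 8, 1) },
  { hostname: "https://mail.example", username: "al", password: "letmein", timePasswordChanged: Date.UTC(2014, 9, 20) },
  { hostname: "https://online.citibank.com", username: "al", password: "k9$vQ2!pLm", timePasswordChanged: Date.UTC(2014, 9, 25) },
  { hostname: "https://www.citi.com", username: "al", password: "k9$vQ2!pLm", timePasswordChanged: Date.UTC(2014, 9, 25) },
];

// Returns hostnames only, never the passwords themselves, so the report can be
// shown or logged without re-exposing secrets.
function auditLogins(logins, now, { maxAgeDays = 90, common = COMMON_PASSWORDS } = {}) {
  const hostsByPassword = new Map();
  for (const l of logins) {
    if (!hostsByPassword.has(l.password)) hostsByPassword.set(l.password, new Set());
    hostsByPassword.get(l.password).add(l.hostname);
  }
  // Re-use: one password on more than one host. A single realm spanning several
  // domains (the citibank/citi case above) also lands here, so treat this as a
  // review list, not a verdict.
  const reused = [...hostsByPassword.values()]
    .filter((hosts) => hosts.size > 1)
    .map((hosts) => [...hosts].sort());
  const commonHits = logins.filter((l) => common.has(l.password)).map((l) => l.hostname);
  const stale = logins
    .filter((l) => now - l.timePasswordChanged > maxAgeDays * DAY_MS)
    .map((l) => l.hostname);
  return { reused, common: commonHits, stale };
}
```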
Depends on: password-ui
Talked to antlam today, and we worked out a passwords UI for about:passwords via whiteboard.

This covers the main actions (reveal, copy password, open-page-and-fill, delete) as well as an insertion point for how we'd want to do add/edit passwords.
Alias: mobile-passwords
Blocks: 1101743
No longer blocks: 1101743
Attached image prev_pw_mock1.png (obsolete) —
Attaching a WIP of the whiteboard sketch.

UI is very much in flux ATM, the idea is just to have these contextual actions related to the list item appear near it. Maybe the action bar might be a better area for this.

Note: the icons are all reused from other parts of our UI (same sizes and color too). + is from the tablet toolbar; the magnifying glass and 'x' are from the mobile/tablet toolbar.
Comment on attachment 8540879 [details]
prev_pw_mock1.png

Mocks have been updated in bug 1101741
Attachment #8540879 - Attachment is obsolete: true
Depends on: 1122225
QA Contact: cristina.madaras
Summary: [meta] Client-side password system improvements → [meta] Mobile client-side password system improvements
Depends on: 1088220
Depends on: 1136477
Depends on: 1144385
QA Contact: cristina.madaras → ioana.chiorean
Depends on: 1147197
Depends on: 1147211
Depends on: 1153224
Depends on: 1162254
Depends on: 1162255
Depends on: 1155345
Depends on: 1154367
Depends on: 1144413
Depends on: 1163808
At first I didn't read the complete bug report here, so if I'm repeating a request, sorry for this.

For a nice example of how to do a good password manager, look at this add-on: https://addons.mozilla.org/en-US/android/addon/mobile-password-manager/
It has some nice features, including the possibility to edit passwords on Android.

Secondly, maybe a kind of (optional) restore function would be useful (depending on how "easy" it is to delete a password). Maybe let the user choose after how many hours or days a password just disappears from the (normal view of the) password manager but is still somehow restorable.
This of course would also be an idea for the desktop password manager.
No longer depends on: 1114821
Re-triaging per https://bugzilla.mozilla.org/show_bug.cgi?id=1473195

Needinfo :susheel if you think this bug should be re-triaged.
Priority: -- → P5